Add support to decrypt separated EncryptedKey

bgaifullin · bgaifullin · commit 2276d516f36d · 2017-07-21T01:09:10.000+01:00
diff --git a/src/enc.c b/src/enc.c
@@ -15,6 +15,7 @@
 #include "lxml.h"
 
 #include <xmlsec/xmlenc.h>
+#include <xmlsec/xmltree.h>
 
 typedef struct {
     PyObject_HEAD
@@ -105,6 +106,18 @@ static int PyXmlSec_EncryptionContextKeySet(PyObject* self, PyObject* value, voi
     return 0;
 }
 
+static const char PyXmlSec_EncryptionContextReset__doc__[] = \
+    "Resets *context*, user settings are not touched.\n";
+static PyObject* PyXmlSec_EncryptionContextReset(PyObject* self, PyObject* args, PyObject* kwargs) {
+    PYXMLSEC_DEBUGF("%p: reset context - start", self);
+    xmlSecEncCtxPtr ctx = ((PyXmlSec_EncryptionContext*)self)->handle;
+    Py_BEGIN_ALLOW_THREADS;
+    xmlSecEncCtxReset(ctx);
+    Py_END_ALLOW_THREADS;
+    PYXMLSEC_DEBUGF("%p: reset context - ok", self);
+    Py_RETURN_NONE;
+}
+
 static const char PyXmlSec_EncryptionContextEncryptBinary__doc__[] = \
     "Encrypts binary *data* according to `EncryptedData` template *template*\n"\
     "Note: *template* is modified in place.\n\n"
@@ -163,12 +176,9 @@ static const char PyXmlSec_EncryptionContextEncryptXml__doc__[] = \
     "Note: The `Type` attribute of *template* decides whether *node* itself is encrypted\n"\
     "(`http://www.w3.org/2001/04/xmlenc#Element`) or its content (`http://www.w3.org/2001/04/xmlenc#Content`).\n"\
     "It must have one of these two values (or an exception is raised).\n"\
-    "The operation modifies the tree containing *node* in a way that\n"\
-    "`lxml` references to or into this tree may see a surprising state.\n"\
-    "You should no longer rely on them. Especially, you should use\n"\
-    "`getroottree()` on the result to obtain the encrypted result tree.\n\n"
-    ":param template: the pointer to <enc:EncryptedData/> template node\n"
-    ":param node: the pointer to node for encryption\n"
+    "The operation modifies the tree and removes replaced nodes.\n"\
+    ":param template: the pointer to <enc:EncryptedData/> template node\n"\
+    ":param node: the pointer to node for encryption\n"\
     ":return: the pointer to newly created <enc:EncryptedData/> node\n";
 static PyObject* PyXmlSec_EncryptionContextEncryptXml(PyObject* self, PyObject* args, PyObject* kwargs) {
     static char *kwlist[] = { "template", "node", NULL};
@@ -273,14 +283,12 @@ static PyObject* PyXmlSec_EncryptionContextEncryptUri(PyObject* self, PyObject*
 }
 
 static const char PyXmlSec_EncryptionContextDecrypt__doc__[] = \
-    "Decrypts *node* (an `EncryptedData` element) and return the result.\n"\
+    "Decrypts *node* (an `EncryptedData` or `EncryptedKey` element) and return the result.\n"\
     "The decryption may result in binary data or an XML subtree.\n"\
     "In the former case, the binary data is returned. In the latter case,\n"\
     "the input tree is modified and a reference to the decrypted XML subtree is returned.\n"\
-    "If the operation modifies the tree, `lxml` references to or into this tree may see a surprising state.\n"\
-    "You should no longer rely on them. Especially, you should use `getroottree()` on the result\n"\
-    "to obtain the decrypted result tree.\n\n"
-    ":param node: the pointer to <enc:EncryptedData/> node\n"
+    "If the operation modifies the tree, it removes replaced nodes.\n"\
+    ":param node: the pointer to <enc:EncryptedData/> or <enc:EncryptedKey/> node\n"
     ":return: depends on input parameters\n";
 
 static PyObject* PyXmlSec_EncryptionContextDecrypt(PyObject* self, PyObject* args, PyObject* kwargs) {
@@ -310,14 +318,16 @@ static PyObject* PyXmlSec_EncryptionContextDecrypt(PyObject* self, PyObject* arg
         }
         // get index of node
         node_num = PyObject_CallMethod(parent, "index", "O", node);
-        PYXMLSEC_DEBUGF("%p, %p", parent, node_num);
+        PYXMLSEC_DEBUGF("parent: %p, %p", parent, node_num);
     }
 
     xmlSecEncCtxPtr ctx = ((PyXmlSec_EncryptionContext*)self)->handle;
-    ctx->flags = XMLSEC_ENC_RETURN_REPLACED_NODE;
     int rv;
 
     Py_BEGIN_ALLOW_THREADS;
+    ctx->flags = XMLSEC_ENC_RETURN_REPLACED_NODE;
+    ctx->mode = xmlSecCheckNodeName(node->_c_node, xmlSecNodeEncryptedKey, xmlSecEncNs) ? xmlEncCtxModeEncryptedKey : xmlEncCtxModeEncryptedData;
+    PYXMLSEC_DEBUGF("mode: %d", ctx->mode);
     rv = xmlSecEncCtxDecrypt(ctx, node->_c_node);
     Py_END_ALLOW_THREADS;
 
@@ -385,6 +395,12 @@ static PyGetSetDef PyXmlSec_EncryptionContextGetSet[] = {
 };
 
 static PyMethodDef PyXmlSec_EncryptionContextMethods[] = {
+    {
+        "reset",
+        (PyCFunction)PyXmlSec_EncryptionContextReset,
+        METH_NOARGS,
+        PyXmlSec_EncryptionContextReset__doc__,
+    },
     {
         "encrypt_binary",
         (PyCFunction)PyXmlSec_EncryptionContextEncryptBinary,
diff --git a/tests/data/enc3-in.xml b/tests/data/enc3-in.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Envelope>
+test
+</Envelope>
diff --git a/tests/data/enc3-out.xml b/tests/data/enc3-out.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Envelope>
+<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+<xenc:CipherData>
+<xenc:CipherValue>HJwrfL7kOIB0QaldMJdza1HitpLCjw+eoult1C6yExDXJ09zKaSQER+pUL9Vt5fm
+d4Oitsf0CUNkjG1xWJdFsftqUIuvYGnkUNhT0vtqoYbdhJkCcB9cCwvTrww2+VTF
+NIasTdechlSD1qQOR8uf6+S94Ae4PVSfWU+5YLTJFpMjR+OT7f6BSbYNv1By6Cko
+G39WTSKTRcVDzcMxRepAGb59r508yKIJhwabCf3Opu+Ams7ia7BH4oa4ro9YSWwm
+hAJ0CN4a6b5odcRbNvuHcwWSxpoysWKbOROQ0H4xC4nGZeL/AXlpSc8eNuNG+g6D
+CTBwsOXCAEJYXPkTrnB3qQ==</xenc:CipherValue>
+</xenc:CipherData>
+</xenc:EncryptedKey>
+<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" MimeType="binary/octet-stream">
+<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+<xenc:CipherData>
+<xenc:CipherValue>4m5BRKEswOe8JISY7NrPGLBYv7Ay5pBV+nG6it51gz0=</xenc:CipherValue>
+</xenc:CipherData>
+</xenc:EncryptedData>
+</Envelope>
diff --git a/tests/test_enc.py b/tests/test_enc.py
@@ -87,7 +87,25 @@ def test_decrypt1(self):
     def test_decrypt2(self):
         self.check_decrypt(2)
 
-    def check_decrypt(self, i, ):
+    def test_decrypt_key(self):
+        root = self.load_xml('enc3-out.xml')
+        enc_key = xmlsec.tree.find_child(root, consts.NodeEncryptedKey, consts.EncNs)
+        self.assertIsNotNone(enc_key)
+
+        manager = xmlsec.KeysManager()
+        manager.add_key(xmlsec.Key.from_file(self.path("rsakey.pem"), format=consts.KeyDataFormatPem))
+        ctx = xmlsec.EncryptionContext(manager)
+        keydata = ctx.decrypt(enc_key)
+        ctx.reset()
+        root.remove(enc_key)
+        ctx.key = xmlsec.Key.from_binary_data(consts.KeyDataAes, keydata)
+        enc_data = xmlsec.tree.find_child(root, consts.NodeEncryptedData, consts.EncNs)
+        self.assertIsNotNone(enc_data)
+        decrypted = ctx.decrypt(enc_data)
+        self.assertIsNotNone(decrypted)
+        self.assertEqual(self.load_xml("enc3-in.xml"), decrypted)
+
+    def check_decrypt(self, i):
         root = self.load_xml('enc%d-out.xml' % i)
         enc_data = xmlsec.tree.find_child(root, consts.NodeEncryptedData, consts.EncNs)
         self.assertIsNotNone(enc_data)
